RSA Perspective: Outrage With A Side Of Salsa

Let the record show that one of the most dramatic expressions of discontent over rampant government surveillance of U.S. citizens and private companies during last week’s RSA Conference in San Francisco went down at a taco joint.

An RSA attendee in Moscone Center, San Francisco. The Conference drew more than 20,000 attendees to San Francisco last week. (Photo by Paul Roberts.)

As the world’s cyber security elite gathered in San Francisco’s Moscone Center for the RSA Security Conference, a group of privacy and online rights activists that go by the name “Vegas 2.0” used donated funds to rent out Chevy’s, a popular Mexican food restaurant located next to the exhibit halls and frequented by conference goers.

According to leaked documents first disclosed by Reuters in December 2013, RSA was allegedly the recipient of a $10 million payment from the NSA linked to its use of an NSA-developed encryption technology known as Dual Elliptic Curve. That technology was the preferred method for generating random numbers within RSA's BSafe endpoint security product. It was eventually found to be flawed and susceptible to cracking, and RSA soon advised customers to discontinue using it.

RSA and parent company EMC have steadfastly defended their early use of the Dual Elliptic Curve technology and denied any wrongdoing. They said their work with the NSA and the National Institute of Standards and Technology (NIST) is standard industry practice.

But publication of the story of the NSA’s behind-the-scenes dealings with RSA led to immediate and widespread criticism of the company. That gave rise to speaker defections from RSA and the creation of a whole separate event, TrustyCon, to focus on issues related to privacy and civil rights.

The protest at Chevy’s was ingenious. For one thing, it forced otherwise blasé tech conference attendees to focus on ethical and moral issues that many wrote off as a distraction or “first world” problems. As the saying goes: the way to a man’s head is through his stomach. (Or something like that.)

Creative though it was, it’s also easy to overstate the importance of the Vegas 2.0 protest or even TrustyCon. Both events, I think, helped channel the voices and actions of a small cadre of principled and high-minded security professionals who are deeply concerned about the way that technology is being (mis)used to enable mass surveillance and other kinds of government control.

“RSA has become COMDEX, Black Hat has become RSA and DEFCON has become Black Hat,” one longtime RSA attendee joked to me, citing the three major North American security conferences. His point: the entire IT security space is drifting inexorably into the mainstream, just from different starting points.

And it’s true: most RSA events these days look far more ‘Hamptons’ than ‘hackercon.’ Last Wednesday evening, I attended a CSO wine tasting hosted by an up-and-coming threat intelligence startup where the guest of honor was Robert Herjavec – a tech investor best known as a guest on the ABC reality show Shark Tank. Herjavec joked with the audience of well-heeled executives that he’d be happy to talk about his successful security investments, but that most people these days preferred to ask him about his TV show instead. He didn’t mention the NSA or government spying.

At another after-party, the CEO of a promising start-up lamented the lack of outrage over NSA spying. The Agency, he feared, was ‘getting away’ with mass surveillance of US citizens, the laws be damned.

The truth, I think, is more complicated. For one thing: our mores – let alone laws – haven’t fully adapted to the rapid change wrought by relatively new technology like smart phones. There, users eagerly glom on to new applications and use them to share photos and other sensitive communications, even after warnings about their security protections are issued. It’s like watching those experiments from a few years back in which office workers traded their passwords for candy bars. Just multiply those incidents by a few billion.

More important: our privacy laws still privilege the content of letters and phone conversations over so-called “metadata” such as the number that was dialed. But sensor-rich mobile phones with GPS, compass, cameras and accelerometers provide a far more valuable tapestry of information than could ever be gleaned from a phone conversation.

Finally, the links between the government and private sector are becoming ever closer, especially on matters related to cyber security and cyber warfare. In an age of cyber war, cyber security firms are necessarily defense contractors, of a sort. That’s why the Washington DC area, even more than Silicon Valley, is the epicenter of the US IT security industry, and government funding of cyber is one of the few areas of defense spending not slated for cuts in the Obama Administration’s plans to reshape the military.

It probably wasn’t realistic to expect a massive industry trade show like the RSA Conference to be about more than business – the business of IT security. While a conference like RSA might be the recipient of criticism of the IT industry and what might be termed the ‘cyber establishment,’ it’s almost certain not to be the source of it. After all, why bite the hand that feeds you? I’d say that if you want that kind of thing, you probably need to look somewhere else. DEFCON, maybe?